IETF Logo Mail Archive

Re: [Mip6] bootstrap problem definition

Francis Dupont <Francis.Dupont@enst-bretagne.fr> Tue, 17 February 2004 15:05 UTC

Received: from optimus.ietf.org (optimus.ietf.org [132.151.1.19]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01637 for <mip6-archive@odin.ietf.org>; Tue, 17 Feb 2004 10:05:32 -0500 (EST)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1At6mW-0001iD-M7 for mip6-archive@odin.ietf.org; Tue, 17 Feb 2004 10:05:05 -0500
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id i1HF53lc006476 for mip6-archive@odin.ietf.org; Tue, 17 Feb 2004 10:05:03 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1At6mU-0001f0-Uu for mip6-web-archive@optimus.ietf.org; Tue, 17 Feb 2004 10:05:03 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01498 for <mip6-web-archive@ietf.org>; Tue, 17 Feb 2004 10:04:59 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1At6mS-0005ws-00 for mip6-web-archive@ietf.org; Tue, 17 Feb 2004 10:05:00 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1At6l4-0005j7-00 for mip6-web-archive@ietf.org; Tue, 17 Feb 2004 10:03:35 -0500
Received: from optimus.ietf.org ([132.151.1.19]) by ietf-mx with esmtp (Exim 4.12) id 1At6jZ-0005U5-00 for mip6-web-archive@ietf.org; Tue, 17 Feb 2004 10:02:01 -0500
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1At6jY-00086o-Ls; Tue, 17 Feb 2004 10:02:00 -0500
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 1At6is-0007ar-Du for mip6@optimus.ietf.org; Tue, 17 Feb 2004 10:01:18 -0500
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id KAA01148 for <mip6@ietf.org>; Tue, 17 Feb 2004 10:01:15 -0500 (EST)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 1At6iq-0005R1-00 for mip6@ietf.org; Tue, 17 Feb 2004 10:01:16 -0500
Received: from exim by ietf-mx with spam-scanned (Exim 4.12) id 1At6hy-0005MM-00 for mip6@ietf.org; Tue, 17 Feb 2004 10:00:23 -0500
Received: from laposte.rennes.enst-bretagne.fr ([192.44.77.17]) by ietf-mx with esmtp (Exim 4.12) id 1At6hF-0005FG-00 for mip6@ietf.org; Tue, 17 Feb 2004 09:59:38 -0500
Received: from givry.rennes.enst-bretagne.fr (givry.rennes.enst-bretagne.fr [193.52.74.194]) by laposte.rennes.enst-bretagne.fr (8.11.6p2/8.11.6/2003.04.01) with ESMTP id i1HEwtL04765; Tue, 17 Feb 2004 15:58:55 +0100
Received: from givry.rennes.enst-bretagne.fr (localhost.rennes.enst-bretagne.fr [127.0.0.1]) by givry.rennes.enst-bretagne.fr (8.12.3/8.12.3) with ESMTP id i1HEwtSj000899; Tue, 17 Feb 2004 15:58:55 +0100 (CET) (envelope-from dupont@givry.rennes.enst-bretagne.fr)
Message-Id: <200402171458.i1HEwtSj000899@givry.rennes.enst-bretagne.fr>
From: Francis Dupont <Francis.Dupont@enst-bretagne.fr>
To: Jari Arkko <jari.arkko@kolumbus.fi>
cc: mip6@ietf.org, James Kempf <kempf@docomolabs-usa.com>
Subject: Re: [Mip6] bootstrap problem definition
In-reply-to: Your message of Mon, 16 Feb 2004 12:20:33 +0200. <40309971.90903@kolumbus.fi>
Date: Tue, 17 Feb 2004 15:58:55 +0100
X-Virus-Scanned: by amavisd-milter (http://amavis.org/) at enst-bretagne.fr
Sender: mip6-admin@ietf.org
Errors-To: mip6-admin@ietf.org
X-BeenThere: mip6@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=unsubscribe>
List-Id: <mip6.ietf.org>
List-Post: <mailto:mip6@ietf.org>
List-Help: <mailto:mip6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mip6>, <mailto:mip6-request@ietf.org?subject=subscribe>
X-Spam-Checker-Version: SpamAssassin 2.60 (1.212-2003-09-23-exp) on ietf-mx.ietf.org
X-Spam-Status: No, hits=0.0 required=5.0 tests=none autolearn=no version=2.60

I have many comments about your bootstrap I-D:
 - first the problems in the abstract and in the introduction
   are not the same: in the abstract the home environment is dynamic
   and the mobile node does not know it enough. In the introduction
   the only problem of the mobile node is that it has lost the context,
   in particular the IPsec one (no security association of any type).
   Of course the problem you described, what I call "dynamic bootstrap",
   is even harder.
 - (1. intro) with IKEv1 the MN does not need to have a statically
   defined home address and the reason you gave is wrong: the home
   address is unknown during the phase 1. I agree that a static home
   address is easier because it makes authorization rules static, but
   this is not a requirement, just the case you have a chance to get
   implemented (:-).
 - dynamic home agent address discovery is a security nightmare: I agree
   we should not rely on it.
 - (2. MIPv6 conf) all MN-HA mobility signaling (not communications) are
   required to be protected by IPsec.
 - (3.1.1. Dyn H@ Assignment) dynamically assigned is not the opposite
   of statically configurated. And there are known extensions (widely
   implemented but not standardized) of IKEv1 to support dynamically
   assigned "internal" addresses.
 - Home prefix change is not a valid issue because the home agent can
   infer the new home address from the old one.
 - Same for duplicate address collision because the authorization stuff
   can, when it occurs, accept any address which is not in use or
   authorized for another client.
 - I don't understand the "addressing privacy" issue: the home address
   can be a RFC 3041 one. This even makes dynamic authorization easy
   (first come first served)...
 - (3.1.2 Dyn HA@ assignment) this is only about manual keying, isn't it?
   (note that IMHO the manual keying is very incompatible with dynamic
   bootstrap, I'd like to focus on the IKE case)
 - (3.2.1 AAA) Even I agree that IKE should be clearly integrated with
   an AAA system your statement that it can work only with certificates
   is not true.
 - Interconnected PKIs are poor replacements for a real AAA infrastructure
   but they (can) work.
 - IMHO the main advantage of an AAA infrastructure is some security
   properties for the care-of address, perhaps this is the only way
   to get more than a return routability check (included in IKE which
   uses many messages in both ways :-).
 - NAI == USER-FQDN, the real issue is AAA and NAI are user oriented
   when IKEv1 is system oriented.
 - (3.2.2 Opp/Local discovery) The idea of using the DNS to get infos
   about the home was in a very old message of someone from Digital
   in this list (I can grep into my archive to find the reference).
 - (3.3.1 Dormant mode MN) IPv6 prefix change is a matter of weeks
   or months. IMHO the real issue is not with nodes in low power
   dormant mode, but with MNs which are used every X months (every
   IETF meetings for instance :-).
 - (4. scenarios) The first scenario (no pre-existing relationship)
   has a little chance to work with IKEv1 which requires strong
   mutual authentication and authorization.
 - the second one is interesting and should be shown to VPN server
   sellers. IMHO this can be a good extension to standard VPNs,
   and there is no home address assignment issue as VPN stuff in
   general includes an "internal" address management.
 - if I understand the third scenario, the idea is to use the local
   AAA system for access control to do some kind of "local mobility"?
 - I don't understand the fourth/last scenario: there is no way to
   "turn" security associations. And IMHO IPsec people will be very
   against any attempt to define this kind of things.
 - you should add a reference to AAA/MIPv6 requirement document
   (draft-le-aaa-mipv6-requirements-03.txt) which was resubmitted
   by Frank Le (our editor) as AAA gives all you'd like: care-of
   assignment, home agent assignment, home address assignment,
   security properties for all of them, including for the care-of,
   fast or very fast creation of the first IPsec SAs, etc.
   So the (to come) solution document about dynamic bootstrap should
   be only when an AAA infrastructure is not available/used (:-).

Regards

Francis.Dupont@enst-bretagne.fr

_______________________________________________
Mip6 mailing list
Mip6@ietf.org
https://www.ietf.org/mailman/listinfo/mip6

v2.23.0 | Report a Bug | By Email